USB: cdc-wdm: fix race between interrupt handler and tasklet
authorOliver Neukum <oneukum@suse.de>
Tue, 6 Aug 2013 12:22:59 +0000 (14:22 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Aug 2013 22:41:07 +0000 (15:41 -0700)
Both could want to submit the same URB. Some checks of the flag
intended to prevent that were missing.

Signed-off-by: Oliver Neukum <oneukum@suse.de>
CC: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/class/cdc-wdm.c

index 8a230f0ef77c77b9acef90b86ab902e9cd4999eb..d3318a0df8ee503f4f5ee553cda3ff1391298be4 100644 (file)
@@ -209,6 +209,7 @@ skip_error:
 static void wdm_int_callback(struct urb *urb)
 {
        int rv = 0;
+       int responding;
        int status = urb->status;
        struct wdm_device *desc;
        struct usb_cdc_notification *dr;
@@ -262,8 +263,8 @@ static void wdm_int_callback(struct urb *urb)
 
        spin_lock(&desc->iuspin);
        clear_bit(WDM_READ, &desc->flags);
-       set_bit(WDM_RESPONDING, &desc->flags);
-       if (!test_bit(WDM_DISCONNECTING, &desc->flags)
+       responding = test_and_set_bit(WDM_RESPONDING, &desc->flags);
+       if (!responding && !test_bit(WDM_DISCONNECTING, &desc->flags)
                && !test_bit(WDM_SUSPENDING, &desc->flags)) {
                rv = usb_submit_urb(desc->response, GFP_ATOMIC);
                dev_dbg(&desc->intf->dev, "%s: usb_submit_urb %d",
@@ -685,16 +686,20 @@ static void wdm_rxwork(struct work_struct *work)
 {
        struct wdm_device *desc = container_of(work, struct wdm_device, rxwork);
        unsigned long flags;
-       int rv;
+       int rv = 0;
+       int responding;
 
        spin_lock_irqsave(&desc->iuspin, flags);
        if (test_bit(WDM_DISCONNECTING, &desc->flags)) {
                spin_unlock_irqrestore(&desc->iuspin, flags);
        } else {
+               responding = test_and_set_bit(WDM_RESPONDING, &desc->flags);
                spin_unlock_irqrestore(&desc->iuspin, flags);
-               rv = usb_submit_urb(desc->response, GFP_KERNEL);
+               if (!responding)
+                       rv = usb_submit_urb(desc->response, GFP_KERNEL);
                if (rv < 0 && rv != -EPERM) {
                        spin_lock_irqsave(&desc->iuspin, flags);
+                       clear_bit(WDM_RESPONDING, &desc->flags);
                        if (!test_bit(WDM_DISCONNECTING, &desc->flags))
                                schedule_work(&desc->rxwork);
                        spin_unlock_irqrestore(&desc->iuspin, flags);